package checkers

import (
	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"

	"github.com/kiali/kiali/business/checkers/common"
	"github.com/kiali/kiali/business/checkers/peerauthentications"
	"github.com/kiali/kiali/config"
	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
)

// PeerAuthenticationCheckerType is the object-type tag stamped on every
// validation this checker produces.
const PeerAuthenticationCheckerType = "peerauthentication"

// PeerAuthenticationChecker validates the PeerAuthentication objects of one
// cluster. It runs a cross-object check (several objects selecting the same
// workloads) and then, per object, the selector and mTLS checks that compare
// the policy against MTLSDetails (mesh/namespace mTLS state and DestinationRules).
type PeerAuthenticationChecker struct {
	// PeerAuthentications is the full set of objects under validation.
	PeerAuthentications []*security_v1beta.PeerAuthentication
	// MTLSDetails is handed to the mTLS checkers; its DestinationRules are
	// passed to the "disabled" checkers as well.
	MTLSDetails kubernetes.MTLSDetails
	// WorkloadsPerNamespace is what each policy's selector is matched against.
	WorkloadsPerNamespace map[string]models.WorkloadList
	// Cluster is folded into every validation key so results stay per cluster.
	Cluster string
}

// Check runs the multi-match checker over the whole set, then the per-object
// checks, and merges everything into one IstioValidations map.
func (m PeerAuthenticationChecker) Check() models.IstioValidations {
	result := models.IstioValidations{}

	// Cross-object check first: it needs the whole set of policies at once.
	multiMatch := common.PeerAuthenticationMultiMatchChecker(m.Cluster, PeerAuthenticationCheckerType, m.PeerAuthentications, m.WorkloadsPerNamespace)
	result.MergeValidations(multiMatch.Check())

	// Then the checks that only look at one policy at a time.
	for i := range m.PeerAuthentications {
		result.MergeValidations(m.runChecks(m.PeerAuthentications[i]))
	}

	return result
}

// runChecks runs all the individual checks for a single PeerAuthentication and
// returns them as a one-entry IstioValidations keyed by that object. Policies
// living in the Istio root namespace are treated as mesh-wide and get the
// mesh-level checkers; any other namespace gets the namespace-level ones.
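func (m PeerAuthenticationChecker) runChecks(peerAuthn *security_v1beta.PeerAuthentication) models.IstioValidations {
	key, rrValidation := EmptyValidValidation(peerAuthn.Name, peerAuthn.Namespace, PeerAuthenticationCheckerType, m.Cluster)

	// A PeerAuthentication in the root namespace is a mesh-wide object, so the
	// namespace alone decides which family of mTLS checkers applies. Evaluated
	// once here instead of being re-checked for each checker pair below.
	meshWide := config.IsRootNamespace(peerAuthn.Namespace)

	// With no selector the policy is not scoped to particular workloads (in
	// Istio that means "every workload in scope" — not verified here), so the
	// selector checker receives an empty, non-nil label map. When a selector
	// is set its MatchLabels are forwarded as-is, which may itself be nil.
	matchLabels := make(map[string]string)
	if peerAuthn.Spec.Selector != nil {
		matchLabels = peerAuthn.Spec.Selector.MatchLabels
	}

	// Checker order is part of the observable output (the order of Checks),
	// so keep it: selector check, then the "disabled" check, then the mTLS check.
	enabledCheckers := []Checker{
		common.SelectorNoWorkloadFoundChecker(PeerAuthenticationCheckerType, matchLabels, m.WorkloadsPerNamespace),
	}
	if meshWide {
		enabledCheckers = append(enabledCheckers,
			// Mesh-level checkers: a policy here affects every namespace, so a
			// DISABLE-style misconfiguration has mesh-wide blast radius
			// (presumably what DisabledMeshWideChecker flags — confirm in
			// the peerauthentications package).
			peerauthentications.DisabledMeshWideChecker{PeerAuthn: peerAuthn, DestinationRules: m.MTLSDetails.DestinationRules},
			peerauthentications.MeshMtlsChecker{MeshPolicy: peerAuthn, MTLSDetails: m.MTLSDetails, IsServiceMesh: false},
		)
	} else {
		enabledCheckers = append(enabledCheckers,
			peerauthentications.DisabledNamespaceWideChecker{PeerAuthn: peerAuthn, DestinationRules: m.MTLSDetails.DestinationRules},
			peerauthentications.NamespaceMtlsChecker{PeerAuthn: peerAuthn, MTLSDetails: m.MTLSDetails},
		)
	}

	// Accumulate every checker's findings; the object stays Valid only while
	// every checker reports valid.
	for _, checker := range enabledCheckers {
		checks, ok := checker.Check()
		rrValidation.Checks = append(rrValidation.Checks, checks...)
		rrValidation.Valid = rrValidation.Valid && ok
	}

	return models.IstioValidations{key: rrValidation}
}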